Establishing an Effective Compliance Function, Essay Example

Introduction

Research Focus, and Rationale

The author of the current study proposal in phase one (Document 3) is looking to explore how compliance is presumed by banks in Oman,  and what role it is expected to play in corporate strategy. The current research is looking to make a contribution to the related literature in establishing and managing an effective compliance function in banks in Oman.

As highlighted in document 2, establishing compliance functions in banks in Oman was mandated by regulators, and expected to go beyond compliance with rules and regulations to manage compliance risk. The regulator have defined compliance risk as one including Legal risk, Operational risk and Reputational risk, as shown in figure 1.

Figure 5: The interconnectivity of definitions of compliance risk

The regulator, however did not specify compliance function’s scope of work in term of activities to be undertaken by compliance functions. It is not defined in a traditional way what the scope of an activity related to compliance is in an organization. The current study attempts to address this gap in corporate structure definition.

The main research question is “what is ‘understood’ and what is ‘expected’ from compliance functions in banks in Oman”. Principles on which previous compliance function research was based were developed outside of Oman, thus not reflecting Oman market’s dynamics. As a result of this gap, compliance function is under pressure in outlining its scope of work.

Areas identified (in document 2) for having impact on compliance activities have social, economic, regulatory and operational dimensions. Moreover international regulations or standards of doing business in the financial sector, such as Anti Money Laundering (AML) standards, sanctioning, and recently, the Foreign Account Tax Compliance Act (FATCA)…etc., have put more emphasis on the role of compliance function. These standards are not legally binding, but have consequences in term of permissions of conducting business, in other words banks need to choose to comply or not. Therefore, compliance management appears to remain a major challenge for banks around the world, and in Oman in particular, and banks need to adapt new approaches to related business decision making.

Critical literature review, carried out in document 2, suggested that compliance is expected to play greater role than merely complying with rules, regulations, and regulatory guidelines in mitigating compliance risk. However, a model could not be found to pave the path for compliance function departments helping them to manage compliance risk as expected by the regulators.

Research carried out in document 3, and later in document 4 will be used in document 5 to suggest ways to establish effective compliance function in banks in Oman. The following table explains the Strategic Question (SQ), Research Questions (RQ), and document allocation for research:

Figure 2: SQ & RQ and document allocation for research

Based on the SQ and RQs, related business and academic literature were reviewed. In document 2, adequate elements were identified and researched, shown in figure 3 of document 2, to develop the conceptual framework, as well as to develop ‘focused’ interview questions to gather relevant information for the qualitative research. In figure 1, the author includes ‘document allocation’ for the SQ and RQ for the present document, and documents 4 and 5.

Document 3 outline

Attempting to develop a ‘model’ for establishing an effective compliance function which can contribute in controlling and managing compliance risk, a conceptual framework is developed to help in theorizing the findings of critical literature review. Then, with the help of the conceptual framework, element identification will be carried out, as shown in figure 2: Identified elements impacting compliance activities, for enabling compliance function to go beyond complying with rules, are compared with factors preventing these element from being embodied in business activities, to establish an effective compliance function.

The methodology, and the suitability of method used for collecting and analyzing the data are discussed including criteria for selecting the sample.

The document is divided into sections with headings, as per the identified elements, in the same structure as in document 2. Each section begins with a brief summary on conclusions drawn from critical literature review, relevant views, statements made while collecting data, and finally conclusions are suggested in answering research questions.

Views gathered on the third RQ, for being more of operational in nature, on ways for internal organization of the compliance function are discussed separately towards the end of this document.

Conceptual Framework: Going beyond regulatory compliance in mitigating compliance risk

Compliance gained importance after the 2008 financial crisis, and was often mentioned when ‘wrong doings’ associated to financial institutions’ activities were investigated. International bodies creating practices and recommendations on compliance recognized the need for going beyond regulatory compliance, in order to manage compliance risk.  Regulatory bodies, however,  did not describe the scope of compliance functions activities in a traditional manner of defining operational scope for business functions.

Fisher and Buglear (2010:134-140) discussed how “Theorising” and formulating a conceptual framework gives a shape or a direction to the study. Following structural approach for identifying concepts and for material collection process in designing the conceptual framework allows the researcher to be more focused on what is being studied. Moreover, the structural approach entails reliance on preliminary understanding or theory. The structure is used to direct the material collection process.

Accordingly, five concepts or elements related to compliance risk were identified in document 2, as shown in figure 3, while their relationship or impact on compliance activities was critically discussed in document 2.

Figure 3: Identified areas impacting compliance activities

Conclusions proposed while critically reviewing the identified areas indicated that elements that are important to creating compliance in business activities are usually confronted with factors hindering the organization in cultivating these elements in business activities.

The conceptual framework, is further illustrated in the in figure 3: Forced Field analysis

Several driving and hindering forces related to compliance were identified in the table below, after reviewing related literature. One of the main restraining forces was the lack of operational scope, which is related to the focus of the current study. While profit maximization refers to the strategic focus of the company and the priorities of the business, just like attitudes and behavior, the business’ inability to measure the negative impact of reputation loss is also related to business functions and organizational strategic thinking. The cost of non-compliance needs to be fully understood by leaders of financial organizations. There are fiscal and non-fiscal consequences of non-compliance. While set penalties and court case settlements can be measured in dollars, it is hard to determine how reputation loss affects profits, as the impact is indirect.

Figure 4: Conceptual framework, Forced Field analysis

As indicated, establishing compliance functions was mandated on banks in Oman by the regulators, thus establishment of a function looking after compliance activities was not a result of internal business requirements and self-regulatory policies. As a result, the greatest challenge of compliance is being correctly understood and accepted by business as a necessity for business. Therefore, compliance functions activities and initiatives are confronted opposite forces negatively impacting compliance functions activities. Positive or the driving forces help cultivating compliance in business activities, while the negative forces or the restraining forces are hindering positive results, preventing the banks from embodying compliance in business activities.

The conceptual framework created during the research will be used to ‘therorize’ a road map for a model for compliance functions in banks in general, and in Oman in particulate to follow. This will enable them establishment of an effective compliance function which can manage compliance risk as per regulators expectations.

Discussion on pairs of opposite forces

Regulatory mandates & expectation Vs lack of defined operational scope

Figure 5: Regulatory mandates & expectation Vs lack of defined operational scope

In Oman, compliance was first introduced in 2006 to banks by the Central Bank of Oman’s (CBO) regulation, mandating banks to establish compliance functions (CBO:2006). The CBO regulation was based on international standards, which define compliance activities for going beyond complying with regulatory guidelines to manage compliance risk; to comply with regulatory guidelines (the driving force), banks have established compliance departments.  However, compliance functions activities are currently limited to complying with rules and regulations for their operational landscape, and strategic compliance initiatives are not clearly defined for business, i.e. the traditional mind set if each function in an organization is responsible for certain activities and its scope of work ends in a defined way e.g. marketing, accounting, legal, retail banking…etc. On the other hand, it is not defined where compliance function scope of work ends to manage compliance risk,  creating an obstacle for compliance officers engaged in activities other than complying with applicable rules and regulations and challenged by business on ‘why compliance is bothered about the matter’.

Thus, the forced field analysis capturing forces in opposite directions promoting compliance role of managing compliance risk by going beyond complying with rules and regulation and to manage compliance risk.

In this document, we shall gather information on these restraining forces in term of Oman market, hoping to answer the Research Questions (RQ), in particular RQ1 and 2.

Organization culture vs Attitude, behavior and individual values

Figure 6: Organization culture vs Attitude, behavior and individual values

Culture plays an important role in strategy implementation, and especially when doing business in countries in the Middle East, where countries are defined by their sense of political and cultural association instead of their geographic boundaries, (Middlekauff: 2008). Compliance principles defined by Basel Committee for banking supervision (BIS: 2005) on establishing compliance function in banks and non-banking financial institutions specified that compliance culture based on values and principles need to encouraged. Compliance must be part of corporate culture, rather than merely focusing on complying with regulatory guidelines. Organizational culture of compliance can be viewed as the safety net from wrong doings. Though organizations may set a mission, vision, and goal at the top of the management, to cultivate compliance culture, it is the attitude and vision of the middle management attitude which really makes a difference. Often initiatives of cultivating organizational culture based on compliance is confronted with individual values and attitude.

We must remember that the Gulf Corporation Council (GCC) countries attract professionals from all over the world, thus organizational culture is also influenced by individual values or ‘culture’, other than the local cultural values.

Acting in the best interest of the society Vs acting in the best interest of the shareholders

Figure 6: Acting in the best interest of the society Vs acting in the best interest of a group

As a suggested conclusion in document 2, Compliance and Corporate governance have a complementing relationship of empowering each other. Corporate governance principles entail that organizations must act responsibly for the overall welfare of the society (and all stakeholders), by using their resources efficiently. Moreover, corporate governance principles promote transparency (reporting the wrong doings) and proper segregation of roles & responsibility and accountability. However, these principles are often confronted with the management’s philosophy of profit maximization and individual gains, limiting the implementation of core principles of corporate governance.  As a result, they negatively impact embodying compliance in business activities.

Using the forced field analysis, we shall evaluate the impact of having a good corporate governance as a responsible person of the society against profit maximization of a business.

Policies & Procedures vs linking compliance strategy to operations

Figure 7: Establishing Policies & Procedures Vs failing to link strategies to operations

Maintaining updated operational documents in the form of “Policies & Procedures” is an effective management tool to direct organizations affairs and operations in a unified manner. The importance of having written operational documents, such as a “code of conduct” in the form of policies & procedures are highlighted by Basel committee, as these documents have a positive impact on managing compliance risk. Moreover, the Committee suggests periodic review of policies & procedures and highlights the role of compliance in the development and review of policies & procedures. However, Morgan et al. (2007) argued that top management generally fails to recognize that any significant shift in strategy (in our case, embodying compliance in activities to mitigate compliance risk) that requires change in day-to-day activities throughout the organization. The emphasis should be on the fact that organizations need to choose to do right things, rather than doing things right. Morgan et al. (2007) suggests that parties throughout the organization must make thousands of small decisions for successful strategy implementation, and without proper directions on best possible decisions, individuals will use different decision rules in choosing their options. Therefore, the benefits of understanding and internalizing strategies are clear: providing directions and decision-making tools for individuals within the organization.

Accordingly, having ‘updated’ policies & procedures will save the organizations from repeated decision making processes on how to manage a particular event have several benefits. If the operational document fails to link strategies with the daily operations, however, the company can see opposite results.

Corporate reputation Vs impact of reputation on business

Figure 8: Good reputation Vs bad reputation

As explained in document 2, BIS (2006) defines reputational risk as an integral part of compliance risk definition. Literature review on corporate reputation shows a clear absence of a commonly accepted definition of corporate reputation. However, the commonly used definition entails presumption of the firm’s past actions and its ability to deliver value outcome to multiple stakeholders, thus it may be established the organization’s ‘good’ reputation has a significant positive impact on achieving its strategic objectives. However, literature suggests difficulties in measuring and correlating the impact of ‘bad’ reputation on business e.g. by change of share value. Therefore quantifying or factoring reputational risk in decision making process is a challenge that compliance departments need to consider when promoting their activities.

Cost of non-compliance Vs lack of ownership

Figure 9: Cost of non-compliance Vs lack of ownership

Penalties imposed by regulators are direct costs of non-compliance. However, organizations get penalized for wrongdoing by an individual or a group of people within the company, who may have benefited the most from the wrongdoing. Therefore, regulators around the world have introduced heaver penalties for non-compliance and unethical conduct on organizations. These stricter criteria were aiming to prevent non-compliance; the same trend was also followed in Oman, where CBO revised its penalty matrix by significantly raising the penalties imposed on banks in case of non-compliance (CBO: 2015). However, literature suggests that lack of accountability on individual basis of who caused the penalties can have limited impact on preventing organizations from non-compliance.  Within financial institutions around the world, there is increasing pressure to hold individuals responsible for their wrongdoings.

Summary of Forced Field Analysis Results

The Forced Field analysis provides an appropriate conceptual framework to picture the forces having positive impact on embodying compliance in business activities of a bank, which are opposed by forces preventing from embodying compliance in the organizations activities.

The conceptual framework will provide an understanding and direction as the following:

How compliance functions should define and promote its scope of activities to manage compliance risk.

Creating suggestions to aid companies to overcome barriers that compliance functions faces when embodying compliance in an organizations’ activities.

Method and Methodology

Methodology

In order to create a framework for financial institutions on integrating compliance in their corporate strategy, several variables for the research need to be determined. To answer the previously highlighted research questions, it is important to define the correlations between an integrated approach towards compliance and compliance levels, as well as the reputation of the organization and the level of compliance.

As discussed in the document 2, the realist approach was identified to be able to evaluate objective and subjective variables impacting the management of compliance function in banks in Oman. The realist approach used in the current research will also allow breaking the problem down to parts, and studding the relationship among them using qualitative and quantitative methods.

The research methodology selected will be based on a combination of quantitative and qualitative research. Interviews will be distributed, featuring two types of questions. One type of question will be open ended, and will require participants to express their opinions and views in their own words, while the other type of questions will have quantifiable data, using Likert scales.

In order to determine the correlation among different variables, based on the principles of the “realist research” principle, the author will take into consideration the complexity of the issues related to compliance. As it has been highlighted before, compliance is impacted by several variables, such as the organization’s culture, regulatory requirements, individual values and visions, corporate strategy and priorities, among others. Therefore, the “realist research” approach will benefit the current research, as it allows the author to break down the issue to different correlated aspects and examine the different layers of compliance, while determining the influential factors.

The methodology will allow the author to measure the impact of companies’ initiatives and internal regulations (strategies) on overall culture, individual employee ethical behavior, and compliance rate. The research will focus on a list of correlated objective and subjective factors of  organizational compliance in financial institutions, in order to gain a full insight into the factors affecting compliance.

The reason why this mixed research method was selected is because it allows the researcher to measure trends, while understanding individual beliefs and management attitudes towards organizational compliance and ethics.

The main focus area of the research will be focusing on creating an effective implementation framework for financial institutions, therefore, it will not only focus on the problems and correlations, but also the determination of “best practices” and most effective ways of implementing compliance in every aspect of doing business, including employee policies and practices, therefore, the descriptive answers will be used to identify patterns and trends within companies that can be used for determining “best practices” for compliance integration into corporate strategies.

Method

Interviews will be carried out among middle management employees within Oman financial institutions to measure their understanding of compliance in general, and to fully grasp their views on rules, regulations, reporting requirements, as well as individual accountability. The descriptive answers will be analyzed using a keyword search to identify trends and themes that regularly occur within the responses. The analysis of results will consist of two different parts. The first part will be based on the qualitative analysis of the descriptive answers provided by the respondents. Using a keyword search, the author will attempt to determine themes and trends within financial institutions in Oman related to attitudes towards compliance, regulation, individual accountability, and internal policies. The second part of the data analysis will focus on determining the mean scores for compliance, attitudes, integration level of the company within the corporate strategy, in order to find meaningful correlations between culture and compliance, strategic compliance documents and level of compliance, employee attitudes and individual level of accountability. The author of the research would also like to measure how well the responsibilities and compliance related tasks are defined in different areas of the organization. As it has been stated previously, compliance policies should not only cover one department’s work, but need to be integrated into the entire corporate strategy.

Ethical reflection and considerations

In order to comply with data protection and corporate regulations, the researcher needed  to seek permission for research from the upper management of the organization. The aim and purpose of the current research will be communicated in writing, and the survey questions were to be disclosed prior to conducting the interviews. Further, members of the management team were  given the chance to sit in the interviews, in order to ensure that no confidential information would be disclosed during the study.

Collaboration with the higher management will be essential for the success of the study. The management will help the researcher identify the most suitable interview candidates.

An informed consent form will be distributed to all employees, in order to comply with the ethical requirements of carrying out business research. Personal details will not be collected, nor employment details, apart from the position within the company and the years of experience in the financial sector. Demographic details will be recorded, but they will be restricted to gender and age brackets (21-35, 36-45, over 45). Based on the ethical principles of conducting research, participants will have an option to withdraw from the study at any point, without providing any reason.

The answers provided by participants will not be disclosed with the management of the company, and they will not have an implication on participants’ employment and career progression.

Criteria for interviewee selection

After consulting with supervisors, considering the objective of the study to propose ways to establish effective compliance function in banks in Oman, it was proposed that the qualitative research in document 3 may include up to 10 interviewees.  Ideally, however,  6 members at senior management level, operating at the capacity of head of business lines and/or their second in command; thereafter, in quantitative research (document 4), will need to be interviewed in order to get sufficient data for drawing conclusions, identifying trends and patterns, and having a large enough sample for the survey.

A wider interviewee group reporting to the staff interviewed in document 3 may be covered to have a wider perspective, and this part of the survey will be designed to generate a “snapshot” of the industry’s views on regulation, accountability, and compliance affected by organizational culture.

Accordingly, two senior staff from each “line of defense” (as explained below) was selected, including senior officials from Retail banking and Wholesale banking, being in the first line of defense; a senior official from risk management and compliance functions, being in the second line of defense; and two senior members from Internal audit department for being in the third line of defense.

Bearing in mind the confidentiality aspect, a summary in table 1, provides information about the interviewees in term of their past and their current job responsibilities.

Although, the information covered in the above cited table about the interviewees are considered to be sufficient for the purpose of the qualitative analysis in document 3, we have also maintained their publicly available profiles on ‘LinkedIn’ in case any participant intended to evaluate in the examination process.

The below table indicates the interviewees’ pseudonym, to comply with data protection and confidentiality regulations,  a brief reference to their past and current responsibilities, and theory’s role mapped to the above mentioned line of defense.

Table 1: Interviewees’ pseudonym, profile and line of defense

The interviews were conducted based on the identified gaps in the critical literature review in document 2. Details of the interviews in terms of language, time and record keeping are explained in appendix (   ).

While tape recording was considered as the first choice for interview records keeping, people got very sensitive on recording their voices after the Arab spring. Moreover the wide use of social media base communication technology, specifically ‘Whatsapp’ application; resulted in people preferring not to be tape recorded. Accordingly, the interviews were deleted only a few minutes immediately after the interviews.

Considering the rules of confidentiality and easy reference, the interviews shall be referred by a ‘code name’

The Three lines of defense

Figure 8: The three lines of defense

The Institute of Internal auditors (IIA) (2013) referred to the concept of the “three lines of defense” (3LD) aiming to assign specific roles to units and departments to effectively manage risk, avoid operational gaps & duplicity and enhance coordination. The concept is beneficial for risk and control professionals to define their roles and responsibilities in term of risk and control management. The paper explains that a risk management framework may identify risks that an organization may face and control in general terms.  These risk frameworks do not clearly indicate specific duties, which should be assigned and coordinated within the organization.

As shown in figure 8, the 3LD model classify management control functions which owns and manages risks, as the first line of defense. For instance, the management needs to establish all required measures to identify and control risk in a business transaction. Functions that oversee risks including compliance and risk monitoring are the responsibility of the second line of defense. Functions in the second line of defense help managers in the first line of defense to identify and cover risk and control gaps,  if there are any.

The third line of defense refers to a business function that provides independent high level assurance to the Board and the senior management, this responsibility is mapped to the internal audit department.

The 3LD model also recognizes the impact the external parties, such as the regulators and the external auditors, may have on the functions mentioned in the model.  For example the CBO regulation mandating complained department to report to the Board or Boards sub-committee. However the risk information assessed by the external parties are less extensive than the scope addressed by the three lines of defense.

As this research aims to explore ways to establish effective compliance function, including outlining the operational landscape for compliance functions activities, all three lines of compliance defense need to be covered in the study. The 3LD model provided a good framework for selecting interviewees. Learning about presumptions and expectations of functions covered in the model will help in achieving research objective.

Importance of the topic for academic and business research

Getting started: how the materials were collected

As indicated in document 2, semi-structural interviews provided a good foundation to learn about the interviewee’s presumptions and expectations from compliance functions, thus offered satisfactory material for document 3. To stay focused on the subject matter, 10 interview questions were developed and mapped to research questions as explained in Appendix B. As the ‘banking language’ in Oman is English, (most of CBO guidelines are issued in English), questions were asked and answered in English, with some exceptions. Some Omani managers switched between English and Arabic several times during the interviews.

Interviews were conducted in person by requesting the interviews to meet in a location as per the participant’s convenience. 3 interviews were conducted in interviewees’ offices, and others were in a cafes, this encouraged easy flow of thoughts. The purpose of the meetings was described in brief when requesting to meet, however explained in detail in the meeting. A purpose of research document was created and disclosed with participants, and interviewees were requested to sign the “informed consent” document before proceeding with their participation. The interviewees were informed about the ethical approval, and their right to withdraw from the study at any time they wish, however, before formalizing the study. Tape recording of the interviews was proposed, however, it was not received well, as 4 out of the 6 interviewees are working in the same organization as myself. Moreover, following the Arab spring in 2011, people became more cautious of being traced in social media, therefore, notes were taken during the interviews and details minutes was drafted in the next day of the interview. However, it’s worth mentioning, in two instances interviewees stopped talking when the researcher started taking notes, in such cases, not to interrupt the flow of thought the researcher stopped writing.

Interviewees were provided with closing notes on points discussed, allowing them to validate their responses, to ensure that all statements given during the interview were understood correctly.

Mind map

Once the interviews were noted down, keywords, concepts and statements mentioned by participants were highlighted and mapped to research questions.

Following the change in research focus as presented in document 2, from the importance of maintaining policies and procedures to ways to establish effective compliance function in banks in Oman, the researcher wrote the following topic identification note:

“Prescribed principles explain that the compliance function’s role goes beyond regulatory compliance in mitigating compliance risk, however the scope of activities the compliance function needs to undertake are not defined. Also, the regulator i.e. CBO, had provided guidelines to position the compliance function within a bank and outlined reporting mechanisms, yet no guidelines were prescribed on how the compliance function should be internally organized” (Albulushi, 2015: 8).

As previously indicated,  introducing compliance in banks in Oman was a result of regulatory mandate. The need of the function was not self-realization of financial businesses, therefore it was felt that the role of compliance function was not unanimously understood.

The outcome of research in this document seems to address research questions identified, moreover, there research brought more the interesting relevant topics which shall be covered in document 4 and 5.

We will start by selecting the statements made relating to the barriers to embody compliance in in business activities. As indicated, out of 10 interview questions developed for the semi-structured interviews, 8 were mapped to this research question (see appendix B: mapping interview questions to research questions). Based on critical literature review, these questions were developed on the assumption that compliance activities’ scope of work is not understood and are not clearly defined.  Accordingly, different individuals have their own presumptions and expectations from compliance function.  Interestingly, this was noted at every interview. Interviewees defined compliance depending on their line of business (or line of defense) they belong, using many different words to explain their understanding of the concept of compliance. When asked about what compliance means and what role it plays in banking system; Hilal said:

 “compliance is our voice to the regulator [business lines], and must support and  communicate with the regulator in favorable manner to open new avenues to do business, compliance is a blessing for business and we greatly benefit from compliance department’s advise when launching new product or service, compliance is a blessing for business, as I don’t want to introduce a product which may breach any laws and regulations. Whenever a product is being designed we benefit from compliance departments feedback.

Nasser said:

“Compliance is ‘Ethics’ and it guides the bank on how to do the right things”,  Interestingly,  Abdullah shared similar views on compliance by stating that “compliance is the guardian of ethical conduct”. Yasser stated:  “in Oman compliance means complying with rules and regulation”.

Omar responded: “compliance needs to consider established rules and regulations to maintain order. It is a process to guide in coordination with the regulator on how to comply with the legal framework”.  

In order to recommend what to be considered when establishing an effective compliance function in a bank in Oman [SQ], it was believed to be important to gather views on how compliance is perceived and what is expected from it to determined its effectiveness.

Opinion gathered in the interviewees on relevance and importance of the topic suggests that importance of compliance function is sensed, however a clear understanding of its activities in term of expectations varies among parties, showing a ‘gap’.

Presumptions gathered on compliance functions activities will help in partly addressing the first research question of “what are the barriers for embodying compliance in business activities”. It was important to gather presumptions on compliance functions activities to identify gaps in understandings and expectations of parties, and suggest ways to breach the gaps seems important for the research and analysis for both the academic and business world.

The analysis are split in two sections:

• Analysis one:  To examine the correlation of concepts/areas identified in the critical literature review carried out in document 2, for going beyond regulatory mandates to manage compliance risk.
• Analysis two: To evaluate findings from interviews and concepts/areas identified if they support and fit the forced field analysis?
• Analysis one: Examining concepts/ areas enabling compliance to go beyond regulatory compliance to avoid compliance risk
• Compliance: Presumptions & Expectations

The critical literature review suggested that there is no universally accepted definition of the term ‘compliance’, interested parties on compliance studies and practices, including regulators, have prescribed organization wised frameworks which includes, Corporate Reputation, Culture, Ethics, Corporate Governance and Policies & Procedures, as shown in figure 000, when discussing compliance. On the other hand, difference of opinion is evident in defining compliance functions scope of work, to comply with rules and regulation or to adhere to principles beyond the prescribed rules & regulations.

Accordingly information were gathered in this document via semi structured interviews, to examine the general ‘presumptions’ about compliance activities and ‘expectation’ from compliance functions, this also partially addresses the First and the Second RQs, of ‘barriers’ for embodying compliance and presumptions on relationship between business and compliance.

In relation to the meaning and expectations of/from compliance and compliance risk, Hilal said: Compliance is our voice [business lines] with the regulator, compliance must support business by communicating with the regulators in a favorable manner for new business venues, and compliance risk means assisting business in not breaching any laws and regulations, everybody in the organization is responsible for compliance. Where Yasser said: Compliance is still evolving, and in Oman compliance is adhering to rules & regulation, and managing compliance risk is greatly important, and head of compliance is responsible for compliance.  Tariq was also of an equal view by saying: compliance means complying with regulatory orders and laws from different regulations including international laws…

Compliance is ethics, it’s abiding the profound principles of teaching of our religion [Islam] and it’s embodied in our culture, an organization known for its noncompliance might make short term gains but will not last, unwritten laws must be respected too; Compliance responsibilities are shared by everybody including the society, however it is the Board of directors responsible to enforce creating a culture of compliance (Nasser).

Interestingly similar position was also taken by Abdullah, where he said: compliance is very important function which gained importance after 2008 financial crisis …compliance is the guardian of ethical practices and is the responsibility of the Board of Director.

Omar’s explained his views on the meaning of compliance and compliance risk by saying: compliance needs to consider standards in term of rules and regulation which were put in place to organize businesses. Where compliance risk means failing to comply with applicable rules and regulations which may result in penalties. He elaborated that: legal risk is different from compliance risk for being dependent on court procedures, where for compliance risk, the regulator may imposes penalties directly [in Oman CBO and CMA have powers to penalize organization directly without routing the case thought the court].

Conclusion

It is evident from the information gathered from interviewees that a ‘gap’ exists in ‘presumption’ and ‘expectation’ of and from compliance function as indicated in document 2, which may be considered as the most important ‘barriers’ in embodying compliance in business activities of a bank [RQs 1&2]. Though all the interviewees agreed on the importance of compliance functions role, the ‘dispersed’ presumptions and expectations from compliance was ‘surprisingly’ alarming for the researcher, especially if the seniority of the interviewees are considered. Moreover, it was observed that the interviewees could not properly define compliance functions role. However greatly ‘agree’ that compliance ‘means’ complying with rules and regulations. Further, 2 interviewees mentioned a principle, ‘Ethics’, compliance function need to consider, however,  none of the interviewees stressed on compliance functions role in managing compliance risk.

Information gathered in interviewees concurs the apposite forces, driving and restraining embodying compliance in business activity as shown in figure: 00.

When asked about compliance enabling factors, as discussed by leading bodies all the interviewees agreed on the concepts/ areas are important for compliance, however each of has his point of view on each enabler as the following:

The Safety Net for Compliance: Corporate Culture based on ‘Values’

The critical literature review suggested a strong ‘complementing’ relationship among corporate culture based on good principles and compliance functions activities; i.e. it it’s easier to encourage compliance related activities in an organization with a good corporate culture, where business decisions are made based on good cultural principles such as ‘Ethics, Honesty and Trust’; In the same way the in order for compliance function to contribute effectively in managing compliance risk, it must work in cultivating a culture based on good cultural values.

In document 2, the researcher wrote on the objective of corporate culture:

The objective is to appreciate the significance of corporate culture in managing compliance risk, and evaluate how the compliance function can perform its role in cultivating and contributing to enhancing corporate culture for effective compliance risk management (Albulushi, 2015:23)

After studying of a number of definitions of organization culture the researcher had proposed in document 2,  the following definition of corporate culture for the limited purpose of this study will be implemented:

“a state of mind which has emerged over time, is inherited, and, which can be developed to enable management of future events in a certain accepted way by a group of people sharing the same values and purpose” (Albulushi, 2015:25).

Accordingly, the statements made in interviews relating to culture and values are highlighted herein:

Hilal said: “organization culture plays great role for compliance, as everybody wants to be on the safe side, Oman’s culture is very healthy for compliance”. The same view was also shared by Nasser who stated that “culture is very important for compliance explaining that ethical values are embodied in the country’s [Oman’s] culture which can be concluded from public protests which took place in year 2011, where people marched on streets demanding the government to fight corruption”.

Yasser said: “culture plays an important role for compliance risk management, and people have [in Oman] the tendency to comply. However, they don’t understand the reason for complying…, if people made to understand the reasons, they may comply in better ways”.

Abdullah raised a very interesting point by saying:  “No doubt that the culture is significant for compliance risk management, however, in Oman people are culturally tuned to show for being loyal or faithful to their colleagues compared to the organization. It is culturally accepted to avoid reporting on colleagues on wrong doings especially if reporting may result in legal proceedings or disciplinary actions”.

On the other hand, Omar expressed his opinion by commenting on the question for being ‘tricky’; he said: “starting with code of life according to Islam’s teachings of good principles e.g. prohibition of cheating and lying…etc., in Oman, people have high tendency to ‘comply’ with codes, norms, rules and regulations. However, I notice that undesirable actions can be observed which might be as a result of weak educational system”. He added: “so far, we are fine, however, if the educational system did not improve addressing these actions, one day we will reach an alarming position”.  Contrarily, Tariq, when asked about importance of culture for compliance stated: “culture plays very important role, however in Oman people tend not to comply, which can be concluded from increasing traffic accidents [explaining] this is due to lack of awareness and lenient penalties”.

Conclusion

Opinions gathered from interviews relates to what has been highlighted in in critical literature review, in document 2: on the importance of culture in mitigating compliance risk. However, the interviews also revealed the impact and existence of individual values which may conflict with organizational values, as clearly mentioned by Abdullah. Moreover, the level of adherence to good principles and values are also impacted by factors negatively influencing culture, such as lenient penalties and or being able to ‘get away’ with the wrong doing.

Rowe (2010), stated that creating compliance culture requires changing staff presumptions at all levels, in addition to a change in processes and technology to align them with organizations objectives. the same is depicted from the forced field analysis, where the ‘appreciation’ of good organization culture which is based on good cultural values and ethics are important for compliance functions activities, are restrained by individual values, attitude, behaviors. Views gathered on important of culture for effective compliance functions activities will be used to answer RQs1 and 2.

Corporate Governance

In constructing the conceptual framework on corporate governance in document 2, the researcher suggested a new definition to be used for the purpose of the study. The definition states that corporate governance defines management philosophy which organization adopt for doing business. Management philosophy, besides decision making, also includes controlling and reporting on organizations matters to stakeholders on the utilization of societies’ resources in a transparent way.

Literature review highlighted the importance of empowering compliance function, in order to enable the function to perform effectively, and report on adhering to rules & regulations, unfair practices and code of conduct. As indicated in the 3LD model, compliance and risk management are identified as monitoring and reporting functions.

Bies (2003) argued for strengthening the compliance function through corporate governance, noting that scandals had happened in organizations because the management  had lost their sense of direction for good corporate governance and ethical conduct. In Oman, CBO (2006) in its regulation document on compliance function noted that compliance leads to good corporate governance, and compliance role also includes maintaining public trust, i.e. enforcing corporate governance.

In similar lines, Dray (2010) stated that the code of corporate governance in Oman was developed considering best practices in order to promote a culture of compliance, transparency and good conduct, however the author notes that some traits  are specific to Oman. Transparency or disclosure are not at its best levels, which defeats the purpose of having a code for corporate governance (Kanukuntla & Rao: 2004).

Good conduct and reporting was discussed in the interviews as the following:

When the interviewees were asked for their opinion on reporting wrongdoings and non-compliance within and outside the organization; Nasser, Tariq and Abdullah were ‘confident’ in expressing their views that wrongdoing must be reported.  Abdullah, however, showed concerns by saying: there are no assurances of what could be the result of reporting the wrongdoings [indicating on regulator’s and public reaction].  The same concern was also shared by Tariq, however in different words by saying: we get scared of the consequences of reporting. On the other hand, the remaining 3 interviewees had slightly different views on reporting the wrong doings as the following.

Hilal explained: reporting of wrongdoings depends on a mixture of elements which need to be considered before reporting, Impact on business and people reactions must be thought of, we in Oman are a small society, one needs to be cautious of the consequence especially if the same goes viral in the social media.

Yasser also expressed his views on the aftermath of reporting by saying: the impact of reporting need to be thought of, in some cases what has been reported can have negative impact [on the business], giving an example of a resent fraud accrued on many banks Automated Teller Machines (ATMs) where one bank choose to report the incident and other banks did not, concluding that the reporting bank was penalized for doing the right thing for reporting.

Omar emphasized: if someone wants to cultivate a good compliance culture, wrongdoings must be reported. However reporting need to be classified [in term of what need to be reported], proposing a solution by saying:  the regulator should tell organizations on what need to be reported and identify ‘Zones’, because not all matters need to be reported.

Conclusion

From the information gathered in the interviews, and the conceptual framework established in document 2; it is evident that the there is a disparity on some aspect for implementing sound corporate governance standards which compliance managers need to considered in their attempt to establish effective compliance function. The disparity exists mainly in terms of transparency and/or reporting of wrongdoing. The interviewees expressed their views on reporting is the ‘right thing to do’, however, they were equally concerned of the impact of ‘doing the right thing’ may have on business profitability.

Conclusion proposed in literature review suggested that good corporate governance facilitates compliance activities. However, from the views gathered during the interviews it was revealed that principles of corporate governance, i.e. transparency and fair conduct may be overruled by the business or individual to maintain profitability, as illustrated in figure 00, showing driving and restraining forces for embodying compliance in business activities. It is clear that implementing core principle of corporate governance in an organization is a barrier [RQ1].  An effective compliance function needs to consider in their operational activities how to cultivate a culture of compliance in an organization. Moreover, at this point it worth mentioning that improving awareness and training for people to understand the reasons for their action will greatly help employees and managers to comply in better way.

Following the discussion made in document 2 on ‘operational documents’ in term of policies, procedures, manuals, memos…etc. an organization maintains to define the acceptable ways in handling the daily operational activities, P&P facilitates also facilitate in linking strategies with actions.  In our case, embodying compliance in organization may be considered as a strategy which requires to be translated in actions. Moreover, literature review carried out in document 2 suggests that there is an increasing trend among regulators, emphasizing on availability of appropriate P&P for effective risk management including compliance risk.

BIS (2014), stressed on the importance of the maintaining “current” P&P which are clearly communicated thought-out the organization. P&P are mechanisms to control events before they happen (Page 2008), thus contribute in managing compliance risk.

Moreover, it was highlighted in document 2, that the study of P&P is an often overlooked area in Oman, and work on P&P found to be taken place in the west failing to recognize the local dynamics of Omani market. Compliance functions role in developing and maintaining P&P to manage compliance risk has been identified for further research to answer the first RQ on “barriers to embody compliance”.

When asking the interviewees on the importance of P&P and training for helping compliance functions activities, all of the interviewees have agreed that P&P are vital for compliance. However Hilal, made a comment in line with what the literature review: its very important [P&P] and can help business greatly, but the problem is updating the manuals. Explaining: business transactions have grown in size and changes in shape, if the manuals are not up to date accommodating “current” situations people will stop using them….. Giving an example of how housing loans operational documents were a hindrance for business. He further raised an interesting point by saying: people has the tendency for ‘not’ reading, just like when we don’t read the Holy Qur’an [ the holibook in Islam] and forgot about the good principles.

Where Yasser and Nasser agreed on the importance of P&P, Yasser mentioned: P&P and trainings are very important, especially in educating people on reasons for compliance. On the same lines Nasser also noted that: … sometimes people don’t understand the objective of actions they have been asked to do.

On the Other hand, Abdullah touched on the importance of P&P as a mechanism to enable improvement by saying:  it’s easier to add value on department’s work, stressing, if people know what action they are required to take it will help compliance.

Similarly, Omar lay emphasis on awareness when saying: compliance as a function is responsible to devise mechanisms to comply with rules & regulations, and enhance the overall awareness level by making people understand. Further, compliance may define ‘red’ or ‘no go’ zones to stop people from non-compliance. He summarized by saying: if P&P are developed with all stakeholders input, it can be very value able to the organization.

P&P are very important for compliance, especially it will help in creating a culture of compliance (Tariq).

Conclusion

Accordingly, opinions obtained from interviews are in line with the conclusion reached in the literature review related to the importance of P&P for compliance activities. Interview results have emphasized on importance of awareness of reasons to comply will increase the chances to comply. Compliance needs to play a role in putting in place proper P&P to management compliance risk. However, keeping P&P up to date is a challenge or a barrier, [RQ1] which needs to be thought of, in order to operationalize strategies; as also shown in the forced field analysis in figure 00.

Corporate Reputation   

Reputational risk is an integral part of the compliance risk, as defined by the Basel committee for banking supervision (BIS: 2005). The critical literature review carried out in document 2 suggests that there is increasing attention of corporate reputation in recent years. Still, an accepted standard definition of corporate reputation is still lacking. Moreover, difficulty in operationalizing corporate reputation definition, and the ongoing need for more developed theory is observed (Walker 2010).

Considering the literature reviews carried out in document 2, the researcher suggested that for the purpose of this study, examining corporate reputation from compliance functions’ point of view; corporate reputation will be viewed based on the following definition:

“Is a state of mind or a presumption; someone will have from past actions and/or events pertaining to an entity effecting future dealings or judgments about that entity”. (Albalushi : 2015: 53-54)

BIS (2014) explained on the dimensions of corporate reputation from the compliance perspective. Compliance functions being the nodal point with the regulators on compliance related matters, they need to consider their activities from a reputational risk perspective for effective activities.

However, methods of operationalizing management and strategies to manage compliance risk is gap identified in literature. Literature review also suggested that there are many advantages for good reputation, including reducing the regulatory cost, and leveraging on customers on high opinion of the organization. However, it is noted that while there are studies demonstrating that bad reputation has a negative impact on the corporate performance, there are no studies affirming that good reputation enhances its shares value,  or the benefits of good reputation can be quantified. Researchers also recognize that more work needs to be carried out on reputational risk management (Raskin, 2013).

When asked about corporate reputation, interestingly all the interviewees shared the view that corporate reputation is very important for a bank. However, they had their own presumption of corporate reputation and on how important it is for compliance to avoid reputational risk. For  instance, Nasser said: reputation is very important, especially with the use of social media, reputational risk is gaining even more importance. And compliance is very important to avoid reputational risk as it guide business to do the right thing.

In the same lines Yasser said: Reputation risk is very important and can have great impact, [giving an example of a bank], where the customer service staff told customers that the branch is out of cash, the customer assumed that the bank is out of cash and customers money are not safe, customers started to stand in ques to claim their money, Yasser said: had other banks in the area did not help by transferring cash to meet customers demand, the crisis could have resulted in a run on the bank. Emphasizing that: compliance should not be looked at as a burden, business should appreciate that compliance is there to help them to do business. Yasser’s comments had 2 dimensions; the first one being on the importance of reputational risk and the second one is the absence of guidelines [Policies & Procedures] in case of such an event happens.

On the other hand, Omar and Abdullah, while submitting the importance of reputational risk for business,  have highlighted that the impact of the reputation is dependent on the level of audiences’ awareness.  Omar emphasized: reputation matters for people who are aware of it, stating that: compliance is a process to help clearing ambiguity and guide business…  Abdullah confirmed the above by saying: reputation is important, however in the absence of mature media it is a bit difficult to measure the impact of reputation on the organization, e.g. non-compliance are noted in the financials reports of banks, however very limited recipients understand and/or depends on such sources for their actions. Moreover, to measure the impact of reputation, information need to be ‘timely’ which I don’t think is available in our market.

In his response to reputational risk, Hilal focused on ‘managing’ the reputational risk, he explained: it [the reputation] really depends on the nature of the incident and how it has been managed, if you have all business transactions going fine and have very few breaches the matters need ‘not’ to be managed [reported].

Conclusion

Information gathered in interviews on reputational risk and compliance functions confirms the  conclusion proposed in critical literature review. Different presumption of corporate reputational and how to management it exists. Moreover, as presented in the opposite force field parties appreciate the fact that reputational risk is vital for business however also demonstrate the challenge for not being able to measure it benefits.

Views gathered will help in addressing the first research questions of barriers to embody compliance in the business activities; and the second research question: the presumption of the middle management of compliance risk and its relationship with the business.

How to internally organize the compliance function, RQ3   

Attempting to develop a model on what needs to be considered in establishing effective compliance functions in banks in Oman [SR], it was observed that literature issued by leading bodies (e.g. Basel Committee) recognize business dynamics and suggests several ways to internally organize the compliance function. Following the regulatory guidelines for establishing compliance functions in banks, it is clear that compliance functions internally organized themselves differently. Therefore, it is believed to be appropriate to develop a RQ to gather views mainly from compliance professionals,  to suggest an internal structure for effective management of compliance function. The framework will help the researcher identify ways to best utilize the interviewing opportunity the RQ was extended to all interviewees covered, more focus on compliance professional may be covered in document 4.

Regulatory guidelines in Oman on compliance function in banks require the establishment of a compliance department to manage compliance risk.  At the same time,  compliance functions mainly undertake supervising AML & KYC activities, Review of P&P, Advisory activities (e.g. introducing a banking product), regulatory testing, following up, and reporting on regulatory observations made in examination reports, and self-certifying on compliance were found to be functions performed by compliance managers.